Passport Scandal Puts Spotlight on Privacy
Customer Confidentiality Isn't Just Right - It's Required
But the latest State Department scandal nevertheless holds a relevant lesson for financial institutions: be ever mindful of your customers' privacy. A lack of confidentiality around customers' records sets off examiners' alarm bells. Maintaining that confidentiality isn't just good practice; it's mandatory. The Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act (FACTA) both require financial institutions to protect customer information.
Notes from a Scandal
Two State Department employees were fired and a third was disciplined for improperly accessing electronic personal data on Democratic presidential candidate Sen. Barack Obama. All three were contract workers who used their authorized computer network access to look up files within the department's consular affairs section, the network that processes and stores passport information. The contract workers read Obama's passport application and other records, in violation of department privacy rules. It was later revealed that Hillary Clinton's and John McCain's passport files had also been looked at by unauthorized staffers. Automated network monitoring of the system flagged the unauthorized access, which was characterized as "imprudent curiosity."
As the political world debated the implications of the breaches -- these files contained private data that, in the wrong hands, could lead to identity theft -- the banking community took the object lesson to heart and indulged in some self-examination about its own confidentiality rules and procedures.
Confidentiality has long been part of the banking culture, says Rob Rowe, Senior Regulatory Counsel with the Independent Community Bankers of America (ICBA). Rowe remembers when he began his career in banking nearly 30 years ago: "It was made very clear when hired at the bank that you would see things, and it was confidential. It was clearly understood you may see things that you would not discuss at home."
There is a culture of trust in the banking industry, he says, paraphrasing an advertisement, "What goes on in the bank, stays at the bank."
More can be done to protect customer information, especially at credit unions and medium-to-smaller-sized banks, says Steve Marchewitz, Vice President of SecureState, an Ohio-based information security consulting firm. "In general, they are not doing enough around security," Marchewitz says. "They are typically doing the bare minimums to get by and hoping for the best. This is true for external security and internal security."
Marchewitz says his firm finds simple things like data classification lacking at some institutions. This could be remedied by making data available only on a "need-to-know" basis. "So if you don't need to know, you don't need to have access to it," he says. "This is a simple (though not always easy) step to building a common sense approach to security. In the government, we understand this and have all heard of secret, top secret, public, etc. but in general this has not made its way to the financial institutions."
Steps Going Forward
The passport breach, along with other recent headlines of Britney Spears and George Clooney hospital records being looked at, all serve as cautionary tales for institutions, says Avivah Litan, Gartner Group's Vice President and Distinguished Analyst. "This should heighten concerns at banks and credit unions so they re-examine their identity access and management processes and systems," Litan says. "Most financial institutions have invested considerable sums in procedures and systems that limit access to sensitive customer data to those with a strict 'business need-to-know' due to heavy regulatory requirements on banks and credit unions."
Litan notes while these projects and systems are costly and cumbersome, "Rarely can a bank 'call it quits' and say they are 'finished.'"
Litan suggests institutions revisit the business and system processes around employee access to sensitive customer data. "Don't forget about the paper files either," Litan says. "Make sure you set up rules and systems to limit access to those with a need to know, and implement monitoring systems to make sure your policies are followed."
Reminding employees and contractors of their responsibilities to protect customer information can include having them sign pre-employment agreements and a code of ethics statement. ICBA's Rowe says many institutions have a code of ethics that they make employees sign every year. "This should serve as a reminder that they must protect customer information and keep it confidential."
This doesn't mean that customers should be alarmed by these news stories and think their personal records will end up public fodder. "Unless your name happens to begin with Barack or Britney, most contractors are going to be less than inclined to look at your banking history for purely voyeuristic purposes," says Nick Holland, information security analyst at the Aite Group, a Boston-based consultancy. Nonetheless, contractors must also adhere to codes of practice and compliance that regular bank and credit union employees are subject to already.
Setting access controls within your institution will remove the temptation if someone famous -- say, George Clooney -- comes into the bank to do business, says Rowe. Every institution has some variation on these access controls, whether manual or technology-based. "So if a teller pulls up George Clooney's records and has no reason to do so, then someone will be having a heart-to-heart with that teller to find out how this happened," Rowe says.
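One way to encode the controls the article's sources describe (Marchewitz's data classification and need-to-know gate, Litan's monitoring for policy violations, and Rowe's "no reason to pull up that record" review), as an added Python example that is not from the article or from any institution or vendor named in it. Employee ids, customer record ids, assignments, tickets and the audit-log lines are all constructed for illustration; a real deployment would read entitlements from the CRM or branch assignment system and logs from the core banking platform.

```python
"""Need-to-know access review over constructed core-banking audit logs.

Added example, not taken from the article. It flags every customer-record
lookup that has no business justification, plus every lookup of a record
classified as restricted, so a supervisor can follow up.
"""
from dataclasses import dataclass

# Data classification: records that get extra scrutiny no matter who opens them,
# e.g. customers flagged as high-profile or as staff members. (Constructed.)
RESTRICTED_RECORDS = {"C-1002"}

# Entitlements: which customers each employee is assigned to serve. (Constructed.)
ASSIGNED_CUSTOMERS = {
    "teller-07": {"C-1001", "C-1003"},
    "csr-12": {"C-1002", "C-1004"},
}

# Open service tickets give a temporary business reason to open a record. (Constructed.)
OPEN_TICKETS = {("teller-07", "C-1004")}

# Constructed audit-log lines: timestamp, employee id, action, customer record.
SAMPLE_LOG = """\
2008-03-21T09:02:11 teller-07 VIEW C-1001
2008-03-21T09:05:40 teller-07 VIEW C-1004
2008-03-21T09:07:03 teller-07 VIEW C-1002
2008-03-21T10:15:22 csr-12 VIEW C-1002
2008-03-21T10:16:58 csr-12 VIEW C-1003
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    employee: str
    record: str
    reason: str


def parse_log(text):
    """Parse whitespace-separated audit lines into (ts, employee, action, record)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, action, rec = line.split()
        events.append((ts, emp, action, rec))
    return events


def has_business_reason(employee, record):
    """Need-to-know gate: the customer is assigned to the employee, or an open
    ticket ties the two together. Anything else is curiosity until proven otherwise."""
    assigned = record in ASSIGNED_CUSTOMERS.get(employee, set())
    ticketed = (employee, record) in OPEN_TICKETS
    return assigned or ticketed


def review_access(log_text):
    """Return an Alert for every lookup a supervisor should follow up on."""
    alerts = []
    for ts, emp, action, rec in parse_log(log_text):
        if action != "VIEW":
            continue
        if not has_business_reason(emp, rec):
            alerts.append(Alert(ts, emp, rec, "no assignment or open ticket"))
        elif rec in RESTRICTED_RECORDS:
            # Entitled staff may open a restricted record, but the access is
            # still surfaced so the business reason can be confirmed.
            alerts.append(Alert(ts, emp, rec, "restricted record opened"))
    return alerts


if __name__ == "__main__":
    for alert in review_access(SAMPLE_LOG):
        print(f"{alert.timestamp} {alert.employee} opened {alert.record}: {alert.reason}")
```

Run as a script it prints three alerts from the constructed log: teller-07 opening C-1002 and csr-12 opening C-1003 with no assignment or ticket, and csr-12 opening the restricted record C-1002 despite being assigned to it. The same gate, called before the record is displayed rather than after the fact, becomes the preventive control; the post-hoc review is what catches the cases the gate lets through, such as an assigned employee browsing a restricted file out of curiosity.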
While the system of controls isn't always perfect, and someone could get records they're not supposed to get, "The repercussions are well known," Rowe says. "The ramification for that employee could mean they lose their job."